Do Not Track Implementation Guide Launched

Today we are releasing the implementation guide for EFF’s Do Not Track (DNT) policy. For years users have been able to set a Do Not Track signal in their browser, but there has been little guidance for websites as to how to honor that request. EFF’s DNT policy sets out a meaningful response for servers to follow, and this guide provides details about how to apply it in practice.

At its core, DNT protects user privacy by excluding the use of unique identifiers for cross-site tracking, and by limiting the retention period of log data to ten days. This short retention period gives sites the time they need for debugging and security purposes, and to generate aggregate statistical data. From this baseline, the policy then allows exceptions when the user's interactions with the site—e.g., to post comments, make a purchase, or click on an ad—necessitate collecting more information. The site is then free to retain any data necessary to complete the transaction. We believe this approach balances users’ privacy expectations with the ability of websites to deliver the functionality users want.
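A sketch of the ten-day retention limit applied to a web server log, added here as an illustration and not taken from EFF's guide. It assumes a combined-format access log extended with a final quoted field that records the request's DNT header; the function name and the sample lines are constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=10)  # retention period stated in the post

# Combined log format plus one assumed trailing field: the request's DNT header.
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+ '
    r'"[^"]*" "[^"]*" "(?P<dnt>[^"]*)"$'
)


def prune(lines, now):
    """Return the lines that may still be kept at time `now`.

    Lines from DNT:1 requests are dropped once older than RETENTION.
    Lines that do not parse are dropped too: their age and DNT status
    cannot be established, so keeping them would fail open.
    """
    kept = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m is None:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # bracketed field present but not a valid timestamp
        if m["dnt"] == "1" and now - ts > RETENTION:
            continue
        kept.append(line)
    return kept


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Mar/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "UA" "1"',
    '203.0.113.8 - - [14/Mar/2024:10:00:00 +0000] "GET /a HTTP/1.1" 200 512 "-" "UA" "1"',
    '203.0.113.9 - - [01/Mar/2024:10:00:00 +0000] "GET /b HTTP/1.1" 200 512 "-" "UA" "-"',
    'corrupted line with no timestamp',
]
NOW = datetime(2024, 3, 15, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for line in prune(SAMPLE, NOW):
        print(line)
```

Run against the sample, the 14-day-old DNT line and the unparseable line are dropped, while the recent DNT line and the non-DNT line remain.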

Websites often integrate third-party content and rely on third-party services (like content delivery networks or analytics), and this creates the potential for user data to be leaked despite the best intentions of the site operator. The guide identifies potential pitfalls and catalogs providers of compliant services. It is common, for example, to embed media from platforms like YouTube, SoundCloud, and Twitter, all of which track users whenever their widgets are loaded. Fortunately, Embedly, which offers control over the appearance of embeds, also supports DNT via its API, displaying a poster instead and loading the widget only if the user clicks on it knowingly.

Knowledge makes the difference between willing tracking and non-consensual tracking. Users should be able to choose whether they want to give up their privacy in exchange for using a site or a particular feature. This means sites need to be transparent about their practices. A great example of this is our biggest adopter, Medium, which does not track DNT users who browse the site and gives clear information about tracking to users when they choose to log in. This is their previous log-in panel; the DNT language is currently being added to their new interface.

The guide exists as a Git repository and will evolve. We want your contributions and invite you to use it as a space to share advice on web privacy engineering. If you have suggestions for other DNT-compliant service providers, please submit them. We are also looking for configurations for Windows servers to limit log collection (we are providing example code for Nginx, Apache and Logrotate). In the future, EFF will add sections dedicated to advertising and commenting systems.

When sites respect DNT, they show respect for users, reduce the risks of leaks, keep identifying data beyond the reach of law enforcement requests, and have their resources unblocked by tracker blockers such as Privacy Badger, Disconnect and AdNauseam. From 2018, there will be an additional reason. Any site collecting data from users in the European Union will be subject to strict limitations on its collection and processing practices, regardless of where it is based. Violations are punishable with large fines: up to 20 million dollars or 4% of global turnover! EFF’s DNT policy is not a comprehensive solution to the obligations created by the General Data Protection Regulation, but it is the right start.

To dive in and learn more about DNT implementation, check out the guide here.
